SCC check: API and validation

Author: sdminonne

pkg/api/install/install.go

@@ -14,6 +14,7 @@ import (
 	_ "github.com/openshift/origin/pkg/project/api/install"
 	_ "github.com/openshift/origin/pkg/route/api/install"
 	_ "github.com/openshift/origin/pkg/sdn/api/install"
+	_ "github.com/openshift/origin/pkg/security/api/install"
 	_ "github.com/openshift/origin/pkg/template/api/install"
 	_ "github.com/openshift/origin/pkg/user/api/install"
 )

pkg/api/register.go

@@ -12,6 +12,7 @@ import (
 	_ "github.com/openshift/origin/pkg/project/api"
 	_ "github.com/openshift/origin/pkg/route/api"
 	_ "github.com/openshift/origin/pkg/sdn/api"
+	_ "github.com/openshift/origin/pkg/security/api"
 	_ "github.com/openshift/origin/pkg/template/api"
 	_ "github.com/openshift/origin/pkg/user/api"
 )

pkg/api/v1/register.go

@@ -11,6 +11,7 @@ import (
 	_ "github.com/openshift/origin/pkg/project/api/v1"
 	_ "github.com/openshift/origin/pkg/route/api/v1"
 	_ "github.com/openshift/origin/pkg/sdn/api/v1"
+	_ "github.com/openshift/origin/pkg/security/api/v1"
 	_ "github.com/openshift/origin/pkg/template/api/v1"
 	_ "github.com/openshift/origin/pkg/user/api/v1"
 )

pkg/api/validation/register.go

@@ -11,6 +11,7 @@ import (
 	projectvalidation "github.com/openshift/origin/pkg/project/api/validation"
 	routevalidation "github.com/openshift/origin/pkg/route/api/validation"
 	sdnvalidation "github.com/openshift/origin/pkg/sdn/api/validation"
+	securityvalidation "github.com/openshift/origin/pkg/security/api/validation"
 	templatevalidation "github.com/openshift/origin/pkg/template/api/validation"
 	uservalidation "github.com/openshift/origin/pkg/user/api/validation"
 	extvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
@@ -23,6 +24,7 @@ import (
 	projectapi "github.com/openshift/origin/pkg/project/api"
 	routeapi "github.com/openshift/origin/pkg/route/api"
 	sdnapi "github.com/openshift/origin/pkg/sdn/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 	templateapi "github.com/openshift/origin/pkg/template/api"
 	userapi "github.com/openshift/origin/pkg/user/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@@ -88,4 +90,8 @@ func registerAll() {
 	Validator.MustRegister(&userapi.Identity{}, uservalidation.ValidateIdentity, uservalidation.ValidateIdentityUpdate)
 	Validator.MustRegister(&userapi.UserIdentityMapping{}, uservalidation.ValidateUserIdentityMapping, uservalidation.ValidateUserIdentityMappingUpdate)
 	Validator.MustRegister(&userapi.Group{}, uservalidation.ValidateGroup, uservalidation.ValidateGroupUpdate)
+
+	Validator.MustRegister(&securityapi.PodSecurityPolicySubjectReview{}, securityvalidation.ValidatePodSecurityPolicySubjectReview, nil)
+	Validator.MustRegister(&securityapi.PodSecurityPolicySelfSubjectReview{}, securityvalidation.ValidatePodSecurityPolicySelfSubjectReview, nil)
+	Validator.MustRegister(&securityapi.PodSecurityPolicyReview{}, securityvalidation.ValidatePodSecurityPolicyReview, nil)
 }

pkg/cmd/cli/describe/describer_test.go

@@ -24,6 +24,7 @@ import (
 	oauthapi "github.com/openshift/origin/pkg/oauth/api"
 	projectapi "github.com/openshift/origin/pkg/project/api"
 	sdnapi "github.com/openshift/origin/pkg/sdn/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 
 	// install all APIs
 	_ "github.com/openshift/origin/pkg/api/install"
@@ -65,6 +66,9 @@ var DescriberCoverageExceptions = []reflect.Type{
 	reflect.TypeOf(&authorizationapi.LocalSubjectAccessReview{}),
 	reflect.TypeOf(&authorizationapi.LocalResourceAccessReview{}),
 	reflect.TypeOf(&authorizationapi.SelfSubjectRulesReview{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
 }
 
 // MissingDescriberCoverageExceptions is the list of types that were missing describer methods when I started

pkg/cmd/cli/describe/printer_test.go

@@ -19,6 +19,7 @@ import (
 	deployapi "github.com/openshift/origin/pkg/deploy/api"
 	imageapi "github.com/openshift/origin/pkg/image/api"
 	projectapi "github.com/openshift/origin/pkg/project/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 )
 
 // PrinterCoverageExceptions is the list of API types that do NOT have corresponding printers
@@ -44,6 +45,9 @@ var PrinterCoverageExceptions = []reflect.Type{
 	reflect.TypeOf(&buildapi.BinaryBuildRequestOptions{}),
 	reflect.TypeOf(&buildapi.BuildRequest{}),
 	reflect.TypeOf(&buildapi.BuildLogOptions{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
+	reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
 }
 
 // MissingPrinterCoverageExceptions is the list of types that were missing printer methods when I started

pkg/scheduler/admission/podnodeconstraints/admission.go

@@ -21,6 +21,7 @@ import (
 	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	deployapi "github.com/openshift/origin/pkg/deploy/api"
 	"github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 )
 
 func init() {
@@ -77,6 +78,9 @@ var resourcesToCheck = map[unversioned.GroupResource]unversioned.GroupKind{
 // we choose not to handle in this plugin
 var resourcesToIgnore = []unversioned.GroupKind{
 	extensions.Kind("DaemonSet"),
+	securityapi.Kind("PodSecurityPolicySelfSubjectReview"), // TODO: should this go through admission?
+	securityapi.Kind("PodSecurityPolicySubjectReview"),     // TODO: should this go through admission?
+	securityapi.Kind("PodSecurityPolicyReview"),            // TODO: should this go through admission?
 }
 
 func shouldCheckResource(resource unversioned.GroupResource, kind unversioned.GroupKind) (bool, error) {

pkg/scheduler/admission/podnodeconstraints/admission_test.go

@@ -450,7 +450,7 @@ func hasPodSpec(t reflect.Type) bool {
 		if t == podSpecType {
 			return true
 		}
-		for i := 1; i < t.NumField(); i++ {
+		for i := 0; i < t.NumField(); i++ {
 			if hasPodSpec(t.Field(i).Type) {
 				return true
 			}

pkg/security/api/deep_copy_generated.go

@@ -0,0 +1,143 @@
+// +build !ignore_autogenerated
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package api
+
+import (
+	api "k8s.io/kubernetes/pkg/api"
+	unversioned "k8s.io/kubernetes/pkg/api/unversioned"
+	conversion "k8s.io/kubernetes/pkg/conversion"
+)
+
+func init() {
+	if err := api.Scheme.AddGeneratedDeepCopyFuncs(
+		DeepCopy_api_PodSecurityPolicyReview,
+		DeepCopy_api_PodSecurityPolicyReviewSpec,
+		DeepCopy_api_PodSecurityPolicyReviewStatus,
+		DeepCopy_api_PodSecurityPolicySelfSubjectReview,
+		DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec,
+		DeepCopy_api_PodSecurityPolicySubjectReview,
+		DeepCopy_api_PodSecurityPolicySubjectReviewSpec,
+		DeepCopy_api_PodSecurityPolicySubjectReviewStatus,
+		DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus,
+	); err != nil {
+		// if one of the deep copy functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
+
+func DeepCopy_api_PodSecurityPolicyReview(in PodSecurityPolicyReview, out *PodSecurityPolicyReview, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicyReviewSpec(in.Spec, &out.Spec, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicyReviewStatus(in.Status, &out.Status, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicyReviewSpec(in PodSecurityPolicyReviewSpec, out *PodSecurityPolicyReviewSpec, c *conversion.Cloner) error {
+	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+		return err
+	}
+	if in.ServiceAccountNames != nil {
+		in, out := in.ServiceAccountNames, &out.ServiceAccountNames
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.ServiceAccountNames = nil
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicyReviewStatus(in PodSecurityPolicyReviewStatus, out *PodSecurityPolicyReviewStatus, c *conversion.Cloner) error {
+	if in.AllowedServiceAccounts != nil {
+		in, out := in.AllowedServiceAccounts, &out.AllowedServiceAccounts
+		*out = make([]ServiceAccountPodSecurityPolicyReviewStatus, len(in))
+		for i := range in {
+			if err := DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.AllowedServiceAccounts = nil
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicySelfSubjectReview(in PodSecurityPolicySelfSubjectReview, out *PodSecurityPolicySelfSubjectReview, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec(in.Spec, &out.Spec, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.Status, &out.Status, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec(in PodSecurityPolicySelfSubjectReviewSpec, out *PodSecurityPolicySelfSubjectReviewSpec, c *conversion.Cloner) error {
+	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicySubjectReview(in PodSecurityPolicySubjectReview, out *PodSecurityPolicySubjectReview, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicySubjectReviewSpec(in.Spec, &out.Spec, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.Status, &out.Status, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicySubjectReviewSpec(in PodSecurityPolicySubjectReviewSpec, out *PodSecurityPolicySubjectReviewSpec, c *conversion.Cloner) error {
+	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+		return err
+	}
+	out.User = in.User
+	if in.Groups != nil {
+		in, out := in.Groups, &out.Groups
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Groups = nil
+	}
+	return nil
+}
+
+func DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in PodSecurityPolicySubjectReviewStatus, out *PodSecurityPolicySubjectReviewStatus, c *conversion.Cloner) error {
+	if in.AllowedBy != nil {
+		in, out := in.AllowedBy, &out.AllowedBy
+		*out = new(api.ObjectReference)
+		if err := api.DeepCopy_api_ObjectReference(*in, *out, c); err != nil {
+			return err
+		}
+	} else {
+		out.AllowedBy = nil
+	}
+	out.Reason = in.Reason
+	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus(in ServiceAccountPodSecurityPolicyReviewStatus, out *ServiceAccountPodSecurityPolicyReviewStatus, c *conversion.Cloner) error {
+	if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.PodSecurityPolicySubjectReviewStatus, &out.PodSecurityPolicySubjectReviewStatus, c); err != nil {
+		return err
+	}
+	out.Name = in.Name
+	return nil
+}

pkg/security/api/install/install.go

@@ -0,0 +1,108 @@
+package install
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apimachinery"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/sets"
+
+	"github.com/openshift/origin/pkg/security/api"
+	"github.com/openshift/origin/pkg/security/api/v1"
+)
+
+const importPrefix = "github.com/openshift/origin/pkg/security/api"
+
+var accessor = meta.NewAccessor()
+
+// availableVersions lists all known external versions for this group from most preferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion}
+
+func init() {
+	registered.RegisterVersions(availableVersions)
+	externalVersions := []unversioned.GroupVersion{}
+	for _, v := range availableVersions {
+		if registered.IsAllowedVersion(v) {
+			externalVersions = append(externalVersions, v)
+		}
+	}
+	if len(externalVersions) == 0 {
+		glog.Infof("No version is registered for group %v", api.GroupName)
+		return
+	}
+
+	if err := registered.EnableVersions(externalVersions...); err != nil {
+		panic(err)
+	}
+	if err := enableVersions(externalVersions); err != nil {
+		panic(err)
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API
+// group.
+// We can combine registered.RegisterVersions, registered.EnableVersions and
+// registered.RegisterGroup once we have moved enableVersions there.
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	preferredExternalVersion := externalVersions[0]
+
+	groupMeta := apimachinery.GroupMeta{
+		GroupVersion:  preferredExternalVersion,
+		GroupVersions: externalVersions,
+		RESTMapper:    newRESTMapper(externalVersions),
+		SelfLinker:    runtime.SelfLinker(accessor),
+		InterfacesFor: interfacesFor,
+	}
+
+	if err := registered.RegisterGroup(groupMeta); err != nil {
+		return err
+	}
+	kapi.RegisterRESTMapper(groupMeta.RESTMapper)
+	return nil
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	api.AddToScheme(kapi.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		if !registered.IsEnabledVersion(v) {
+			glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
+			continue
+		}
+		switch v {
+		case v1.SchemeGroupVersion:
+			v1.AddToScheme(kapi.Scheme)
+		default:
+			glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v)
+			continue
+		}
+	}
+}
+
+func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
+	rootScoped := sets.NewString()
+	ignoredKinds := sets.NewString()
+	return kapi.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
+}
+
+func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
+	switch version {
+	case v1.SchemeGroupVersion:
+		return &meta.VersionInterfaces{
+			ObjectConvertor:  kapi.Scheme,
+			MetadataAccessor: accessor,
+		}, nil
+
+	default:
+		g, _ := registered.Group(api.GroupName)
+		return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
+	}
+}